Risk-Informed Design Guidance for Gen IV Reactors
22.39 Elements of Reactor Design, Operations, and Safety Lecture 25
Fall 2006
George E. Apostolakis Massachusetts Institute of Technology
Why Risk-Informed Design?
• The NRC is preparing a new risk-informed licensing process for future reactors.
• DOE (NERAC) goals refer to “reliable” reactivity control and decay heat removal.
• Important uncertainties are identified early.
• The combination of the structuralist (i.e., defense in depth) and the rationalist (i.e., risk-based) safety philosophies could be addressed early in the process.
• Design options can be compared.
• PRA methodological needs are identified early so that improvements can be made.
Sorensen, J. N., Apostolakis, G. E., Kress, T. S., and Powers, D. A., “On the Role of Defense in Depth in Risk-Informed Regulation,” Proceedings of PSA ‘99, International Topical Meeting on Probabilistic Safety Assessment, pp. 408-413, Washington, DC, August 22-26, 1999, American Nuclear Society, La Grange Park, Illinois.
Technology-Neutral Regulatory Framework (NUREG-1860)
• This alternative to 10 CFR 50 would have the following advantages:
It would require a broader use of design-specific risk information in establishing the licensing basis, thus better focusing the licensing basis, its safety analysis and regulatory oversight on those items most important to safety for that design.
It would stress the use of performance as the metrics for acceptability, thus providing more flexibility to designers to decide on the design factors most appropriate for their design.
It would be written to be applicable to any reactor technology, thus avoiding the time-consuming and less predictable process of reviewing non-LWR designs against the LWR-oriented 10 CFR 50 regulations, which requires case-by-case decisions (and possible litigation) on what 10 CFR 50 regulations are applicable and not applicable and where new requirements are needed.
It would provide the foundation for technology-specific implementation, through the use of technology-specific implementing guidance in those areas unique to a specific technology.
Technology-Neutral Regulatory Framework (USNRC)
[Figure: diagram of the framework structure. Labels: Atomic Energy Act and the statutes that amended it (AEA); SG QHO; Risk & Design/Construction/Operation Objectives; Design, Construction, Operation Objectives; Protective Strategies; Defense-in-Depth; Barrier Integrity; Limit Initiating Event Frequencies; Protective Systems; Accident Management; Frequency-Consequence (“F-C”) Curves; DBAs and Acceptance Criteria; Physical Protection (not examined in this framework); Technology-Neutral Requirements & Regulations; Chapters 3, 4, 5 and 6.]
Department of Nuclear Science and Engineering
Defense in Depth
• The defense-in-depth principles address the various types of uncertainty (i.e., parameter, modeling and completeness) and require designs to:
consider intentional as well as inadvertent events;
include accident prevention and mitigation capability;
ensure key safety functions are not dependent upon a single element of design, construction, maintenance or operation;
consider uncertainties in equipment and human performance and provide appropriate safety margin;
provide alternative capability to prevent unacceptable releases of radioactive material; and
be sited at locations that facilitate protection of public health and safety.
Protective Strategies
• The protective strategies address accident prevention and mitigation and consist of the following:
physical protection (provides protection against intentional acts);
maintaining stable operation (provides measures to reduce the likelihood of challenges to safety systems);
protective systems (provides highly reliable equipment to respond to challenges to safety);
maintaining barrier integrity (provides isolation features to prevent the release of radioactive material into the environment); and
protective actions (provides planned activities to mitigate any impacts due to failure of the other strategies).
Frequency-Consequence Curve
[Figure: frequency-consequence curve. Vertical axis ticks from 1E-2 to 1E-7; horizontal axis: Dose, rem (0.1 to 1000.0); one region is labeled “Acceptable Region”.]
Above 100 rem the threshold for early fatality is exceeded; above 300-400 rem, early fatality quite likely; curve is capped at 500 rem.
100 mrem/yr – public dose limit in 10CFR50 App I
1 rem/event – triggers EPA protective action guidelines
25 rem/event – triggers abnormal occurrence reporting; limit in 50.34a and Part 100 for siting
50 rem/event – triggers early health effects
Comments on the F-C Curve
• The PRA results must demonstrate that the total integrated risk from the PRA sequences satisfies both the latent cancer QHO and the early fatality QHO.
• The summation of the risk from all the PRA sequences is carried out using the mean value of each sequence dose and frequencies.
• Meeting the F-C curve imposes constraints beyond satisfying the QHOs because specific dose limits are imposed at all frequencies.
• Both the individual risk of each new reactor and the integrated risk from all of the new reactors at one site, associated with a future combined license application, should not exceed the risk expressed by the QHOs.
• It is not required that the integrated risk from existing reactors, where there are multiple reactors at a single site, meet the risk expressed by the QHOs, even though the site may be considered for new reactors.
Licensing Basis Events (LBEs)
• Event sequences that must be considered in the safety analysis of the plant and must meet some deterministic criteria in addition to meeting the frequency-consequence curve.
• Purpose:
to provide assurance that the design meets the design criteria for various accident challenges with adequate defense-in-depth (including safety margin) to account for uncertainties, and
to evaluate the design from the standpoint of the dose guidelines in the siting criteria of 10 CFR Part 100.
LBE Selection using PRA
1. Drop all PRA sequences with point estimate frequency < 1.E-8/yr.
2. For sequences with point estimate frequencies equal to or greater than 1E-8, determine the mean and 95th percentile frequency.
3. Identify all PRA event sequences with a 95th percentile frequency > 1E-7 per year.
4. Group the PRA event sequences with a 95th percentile frequency > 1E-7 per year into event classes (similar initiating events and similar accident behavior in terms of system failures and/or phenomena; similar source terms).
5. Select an event sequence from the event class that represents the bounding consequence.
6. Establish the LBE’s frequency for a given event class. The frequency of an event class is determined by setting the LBE’s mean frequency to the highest mean frequency of the event sequences in the event class and its 95th percentile frequency to the highest 95th percentile frequency of the event sequences in the event class.
7. Verify that each LBE meets the acceptance criteria.
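Steps 1-6 carried through on constructed data, as an added example (not code from the lecture or from NUREG-1860). The sequence names, event classes, frequencies and doses are made up; the category bounds follow the mean-frequency ranges in the LBE tables on this page, and step 7 (checking acceptance criteria against the F-C curve) is not implemented.

```python
from collections import defaultdict
from dataclasses import dataclass

POINT_CUTOFF = 1e-8  # step 1: drop sequences below this point estimate (per year)
P95_CUTOFF = 1e-7    # step 3: keep sequences whose 95th percentile exceeds this


@dataclass(frozen=True)
class Sequence:
    name: str
    event_class: str  # analyst-assigned grouping used in step 4
    point: float      # point-estimate frequency, per year
    mean: float       # mean frequency (step 2, supplied as input here)
    p95: float        # 95th percentile frequency (step 2, supplied as input)
    dose_rem: float   # consequence used to pick the bounding sequence


def frequency_category(mean):
    """LBE frequency category from the mean frequency per reactor year."""
    if mean >= 1e-2:
        return "frequent"
    if mean >= 1e-5:
        return "infrequent"
    if mean >= 1e-7:
        return "rare"
    return "below rare range"


def select_lbes(sequences):
    """Apply steps 1-6 and return {event_class: LBE description}."""
    kept = [s for s in sequences if s.point >= POINT_CUTOFF]   # step 1
    kept = [s for s in kept if s.p95 > P95_CUTOFF]             # step 3
    classes = defaultdict(list)
    for s in kept:                                             # step 4
        classes[s.event_class].append(s)
    lbes = {}
    for name, members in classes.items():
        bounding = max(members, key=lambda s: s.dose_rem)      # step 5
        mean = max(s.mean for s in members)                    # step 6
        p95 = max(s.p95 for s in members)                      # step 6
        lbes[name] = {
            "bounding_sequence": bounding.name,
            "dose_rem": bounding.dose_rem,
            "mean": mean,
            "p95": p95,
            "category": frequency_category(mean),
        }
    return lbes


# Constructed sample sequences (illustrative values only).
SAMPLE = [
    Sequence("LOCA-1", "LOCA", 2e-4, 3e-4, 9e-4, 0.5),
    Sequence("LOCA-2", "LOCA", 5e-7, 8e-7, 4e-6, 30.0),
    Sequence("LOOP-1", "LOOP", 3e-2, 4e-2, 9e-2, 0.001),
    Sequence("X-1", "OTHER", 5e-9, 9e-9, 2e-7, 100.0),  # dropped in step 1
    Sequence("X-2", "OTHER", 2e-8, 3e-8, 8e-8, 100.0),  # dropped in step 3
]

if __name__ == "__main__":
    for cls, lbe in select_lbes(SAMPLE).items():
        print(cls, lbe)
```

The LOCA class shows that an LBE is a composite: its consequence comes from the bounding sequence (LOCA-2) while its frequencies come from the most frequent member (LOCA-1).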
LBE Frequency Categories
Category | Frequency | Basis
frequent | > 10^-2 per year | Capture all event sequences expected to occur at least once in lifetime of a plant, assume lifetime of 60 years
infrequent | 10^-5 < to < 10^-2 per year | Capture all event sequences expected to occur at least once in lifetime of population of plants, assume population of 1000 reactors
rare | 10^-7 < to < 10^-5 per year | Capture all event sequences not expected to occur in the lifetime of the plant population, but needed to assess Commission’s safety goals
Deterministic Criteria for LBEs
• In the “frequent” range:
no impact on the safety analysis assumptions occurs
no barrier failure occurs
redundant means of reactor shutdown remain functional
redundant means of decay heat removal remain functional
the cumulative dose meets the 5 mrem dose specification of Appendix I of 10 CFR 50
• In the “infrequent” range:
a coolable geometry is maintained
at least one barrier remains
at least one means of reactor shutdown remains functional
at least one means of decay heat removal remains functional
the cumulative dose of LBEs with frequencies greater than or equal to 1E-3 per year has to meet the 100 mrem specification of 10 CFR Part 20.
for LBEs with frequencies less than 1E-3 per year the worst (maximum based on meteorological conditions) two hour dose at the EAB (exclusion area boundary) meets the F-C curve
• For the “rare” range, no additional deterministic (DiD) criteria apply.
the 24 hour dose at one mile from the EAB meets the F-C curve
Category (Mean Event Frequency per reactor year) | PRA statistic for meeting F-C curve | LBE statistic for meeting F-C curve | Additional acceptance criteria for LBEs (demonstrated with calculations at the 95% probability value* with Success criteria that meet adequate Regulatory margin)
frequent (≥ 10^-2) | mean | 95th percentile* | no barrier failure; no impact on safety analysis assumptions; redundant means for reactor shutdown and decay heat removal remain functional; annual dose to a receptor at the EAB ≤ 5 mrem TEDE
infrequent (< 10^-2 to ≥ 10^-5) | mean | 95th percentile* | at least one barrier remains; a coolable geometry is maintained; at least one means of reactor shutdown and decay heat removal remains functional; for LBEs with frequency > 1E-3 annual dose to a receptor at the EAB ≤ 100 mrem TEDE; for LBEs with frequency < 1E-3 the worst two-hour dose at the EAB meets the F-C curve
rare (< 10^-5 to ≥ 10^-7) | mean | 95th percentile* | 24 hour dose at 1 mile from EAB meets the F-C curve
Notes
• With the exception of the source term, realistic calculations are carried out to obtain the mean and uncertainty distribution of the important parameters for estimating frequency and consequences.
• Source Term calculations use the 95% probability value of the amount of radionuclides released, obtained from a mechanistic calculation, and use RG 1.145 or the equivalent for calculating atmospheric dispersion.
• EAB - exclusion area boundary
• TEDE - total effective dose equivalent
• * The upper value of the 95% Bayesian probability interval.
Start with “bare-bones” design with minimum combination of structures, systems, and components necessary for the system function to be accomplished.
The MIT Risk-Informed Design Process
[Flowchart: Step 1 Formulate Design; Step 2 Analyze Design (PRA); Step 3 Screening Criteria (Deterministic, Probabilistic); Step 4 Deliberate and Choose the Best Design. Other labels: Modify Design; Unacceptable; Acceptable; Exemption Granted; Best Engineering Practices; Structuralist defense in depth.]
Apostolakis, G.E., Golay, M.W., Camp, A.L., Durán, F.A., Finnicum, D., and Ritterbusch, S.E., “A New Risk-Informed Design and Regulatory Process,” Proceedings of the Advisory Committee on Reactor Safeguards Workshop on Future Reactors, June 4-5, 2001, NUREG/CP-0175, US Nuclear Regulatory Commission, Washington, DC, 2001.
PRA as a Design Tool
• Overall Objective: Eliminate Severe Accident Vulnerabilities
• PRA Provides a Systematic Means for Finding and Eliminating these Vulnerabilities
• Effectiveness May Be Limited by Information Availability Early in Design Phase
• Easier to Make Corrections Earlier in Design Phase
• Imperfect Tool is Better than None at All
GE Presentation to the ACRS PRA Subcommittee, April 20, 2006.
Evolution of a Design and PRA
Conceptual Design
Design Base (DCD)
Detailed Design
Construction Design
Plant in Operation
Will Design be Licensed?
Can Design be Licensed?
Is Design Feasible?
Confirmation of Assumptions
Confirmation of Assumptions
Low Design Detail
Major Components Specified
All Components Specified
All Components Described
All Components Described
Qualitative Risk Assessment
Qualitative & Quantitative PRA
Quantitative PRA with Gaps
Quantitative PRA with Fewer Gaps
As-Built As-Operated PRA
Defense-in-Depth Concepts
Defense-in-Depth Analyzed
Defense-in-Depth Mostly Resolved
No Defense-in-Depth Issues
No Defense-in-Depth Issues
Past Vulnerabilities Addressed
Sequence Level Vulnerabilities Eliminated
System Level Vulnerabilities Eliminated
Component Level Vulnerabilities Eliminated
All Vulnerabilities Eliminated
GE Presentation to the ACRS PRA Subcommittee, April 20, 2006.
Applications
• IRIS ( Y. Mizuno, H. Ninokata, and D. J. Finnicum, “Risk-informed design of IRIS using a level-1 probabilistic risk assessment from its conceptual design phase,” Reliability Engineering and System Safety, 87:201–209, 2005)
• GFR: Decay Heat Removal after a LOCA (Delaney, M. J., Apostolakis, G. E., and Driscoll, M. J., “Risk-Informed Design Guidance for Future Reactor Systems,” Nuclear Engineering and Design, 235:1537-1556, 2005)
• GFR: Uncertainties in Passive Cooling Systems ( Pagani, L. P., Apostolakis, G. E., and Hejzlar, P., “The Impact of Uncertainties on the Performance of Passive Systems,” Nuclear Technology, 149:129-140, 2005)
ECCS Designs 1-6 (LOCA)
Bare-bones system of MIT GFR concept (SCO2 cooled, direct cycle)
Figure removed due to copyright restrictions.
See Delaney, M. J., Apostolakis, G.E., and Driscoll, M.J., “Risk-Informed Design Guidance for Future Reactor Systems.” Nuclear Engineering and Design 235 (2005):1537-1556.
Designs 1-6
1. Bare-bones system
2. +Diesel (1x100%), DC battery (1x100%)
3. +Diesel (1x100%), DC battery (2x100%)
4. +Diesel (2x100%), DC battery (2x100%)
5. +Diesel (2x100%), DC battery (2x100%), DC transmission (2x100%)
6. +Diesel (3x100%), DC battery (2x100%), DC transmission (2x100%)
Design 7: Secondary Onsite AC Power
Figure removed due to copyright restrictions.
See Delaney, M. J., Apostolakis, G.E., and Driscoll, M.J., “Risk-Informed Design Guidance for Future Reactor Systems.” Nuclear Engineering and Design 235 (2005):1537-1556.
Design 7
• Diesel (3x100%)
• DC battery (2x100%)
• DC transmission (2x100%)
• Turbine (1x100%)
• Accumulator(1x100%)
• Electric valve (1x100%)
• Generator (1x100%)
• Secondary electric motor
Design 8: Microturbine (secondary onsite AC power)
Figure removed due to copyright restrictions.
See Delaney, M. J., Apostolakis, G.E., and Driscoll, M.J., “Risk-Informed Design Guidance for Future Reactor Systems.” Nuclear Engineering and Design 235 (2005):1537-1556.
Design 8
• Diesel (3x100%)
• DC battery (2x100%)
• DC transmission (2x100%)
• Microturbine (1x100%)
• Natural gas accumulator(1x100%)
• Electric switch (1x100%)
• Generator (1x100%)
• Offsite natural gas connection (1x100%)
• Secondary electric motor
Design 9: Nitrogen Accumulator
Figure removed due to copyright restrictions.
See Delaney, M. J., Apostolakis, G.E., and Driscoll, M.J., “Risk-Informed Design Guidance for Future Reactor Systems.” Nuclear Engineering and Design 235 (2005):1537-1556.
Design 9
• Diesel (3x100%)
• DC battery (2x100%)
• DC transmission (2x100%)
• Nitrogen accumulator (1x100%)
• Electric valve
• Pressure valve
• Turbine
Event Tree (Designs 1-6)
[Event tree headings: Loss of Coolant Accident; Reactor Trip; Offsite Power; Onsite Diesels; Onsite DC power for instrumentation; Emergency Core Cooling System. Sequence end states:]
1 OK
2 DAMAGE
3 DAMAGE
4 OK
5 DAMAGE
6 DAMAGE
7 DAMAGE
8 DAMAGE
Results of the Iterative ECCS Design Guidance
Design | Configuration | CDF (3x100% ECCS Loops) | CDF reduction factor
1 | No Diesels, 1x100% DC Battery | 1.21x10^-5 | 1.00
2 | 1x100% Diesel, 1x100% DC Battery | 1.29x10^-6 | 9.4
3 | 1x100% Diesel, 2x100% DC Battery | 8.59x10^-7 | 14.1
4 | 2x100% Diesel, 2x100% Battery | 3.11x10^-7 | 39.0
5 | 2x100% Diesel, 2x100% Battery, 2x100% Transmission | 2.47x10^-7 | 49.0
6 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission | 1.64x10^-7 | 73.8
7 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, 1x100% Secondary onsite Turbine | 7.96x10^-8 | 152.0
8 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, 1x100% Secondary onsite Microturbine | 7.58x10^-8 | 159.6
9 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, Nitrogen Accumulator | 1.35x10^-7 | 89.6
PRA Insights
Design Number | Configuration | PRA Insights (3x100% ECCS Loops)
1 | No Diesels, 1x100% DC Battery | LOOP accounts for ~99% of risk
2 | 1x100% Diesel, 1x100% DC Battery | Failure of diesel is largest contributor to risk (50.3%)
3 | 1x100% Diesel, 2x100% DC Battery | 1 Diesel accounts for 86.6% of risk
4 | 2x100% Diesel, 2x100% Battery | LOOP + CCF of diesels accounts for 14.5% of risk; LOOP + random failure of diesels accounts for 27.1% of risk; 1 DC Transmission loop accounts for 25.1% of risk
5 | 2x100% Diesel, 2x100% Battery, 2x100% Transmission | LOOP + CCF of diesels accounts for 18.5% of risk; LOOP + random failure of diesels accounts for 35.5% of risk
6 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission | LOOP + CCF of diesels accounts for 2.84% of risk; LOOP + random failure of diesels accounts for 1.8% of risk
7 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, 1x100% Secondary onsite Turbine | ~99% of risk due to CCF of ECCS or DC components
8 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, 1x100% Secondary onsite Microturbine | ~99% of risk due to CCF of ECCS or DC components
9 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, Nitrogen Accumulator | ~99% of risk due to CCF of ECCS components
9 | 3x100% Diesel, 2x100% Battery, 2x100% Transmission, Nitrogen Accumulator | ~86.6% of risk due to CCF of ECCS components; 12.1% of risk due to random failure of ECCS components
Criteria and Goals
• Deterministic Criterion (General Design Criterion 35)
An ECCS must be designed to withstand the following postulated LOCA: A double-ended break of the largest reactor coolant line, the concurrent loss of offsite power, and a single failure* of an active ECCS component in the worst possible place.
*Common-cause failures are not considered single failures.
• Probabilistic Goal
f_LOCA = 5.45x10^-4 per reactor year → “infrequent initiator” →
Conditional Core Damage Probability (CCDP) ≤ 10^-2 AND
f_LOCA x CCDP ≤ 10% of the CDF goal of 10^-4 per reactor year = 10^-5
CCDP ≤ 10^-2 is the only goal in this case, because the second condition requires only CCDP ≤ 10^-5 / 5.45x10^-4 ≈ 1.8x10^-2, which is less restrictive.
Screening based on Probabilistic Goals (Designs 1-5)
Conditional Core Damage Probability given a LOCA, by number of ECCS loops. Each cell gives the screening result followed by the mean CCDP in parentheses.
Design | 1x100% | 2x100% | 3x50% | 3x100% | 4x50% | PRA Insights (3x100% ECCS Loops)
1 | No (2.51E-02) | No (2.20E-02) | No (2.20E-02) | No (2.20E-02) | No (2.20E-02) | LOOP accounts for ~99% of risk
2 | Yes* (5.71E-03) | Yes* (2.32E-03) | Yes* (2.36E-03) | Yes* (2.31E-03) | Yes* (2.31E-03) | Failure of diesel is largest contributor to risk (50.3%)
3 | Yes* (4.86E-03) | Yes (1.68E-03) | Yes (1.72E-03) | Yes (1.67E-03) | Yes (1.67E-03) | 1 Diesel accounts for 86.6% of risk
4 | Yes* (3.82E-03) | Yes (5.97E-04) | Yes (6.29E-04) | Yes (5.81E-04) | Yes (5.81E-04) | LOOP + CCF of diesels accounts for 14.5% of risk; LOOP + random failure of diesels accounts for 27.1% of risk; 1 DC Transmission loop accounts for 25.1% of risk
5 | Yes* (3.75E-03) | Yes (4.69E-04) | Yes (5.02E-04) | Yes (4.52E-04) | Yes (4.52E-04) | LOOP + CCF of diesels accounts for 18.5% of risk; LOOP + random failure of diesels accounts for 35.5% of risk
* Did not meet deterministic criteria.
Insights
• Data appropriate for gas reactors are needed.
• PRA insights were used to
change the configuration of the design (Designs 5 and 6)
add a secondary onsite power source (Designs 7 and 8)
add a nitrogen accumulator system (Design 9)
• Several designs satisfied the probabilistic goals but not the deterministic criteria. Are the latter “unnecessary regulatory burden?”
• Design 8 (3x100% loops; microturbine; elimination of the failure-to-start mode for an onsite AC power supply) is best in terms of CDF (7.58x10^-8 ry^-1).
• Microturbines have never been used in a NPP emergency power supply system. As such, they will be thoroughly scrutinized during the licensing process. Data are needed.
• Adding redundant ECCS loops beyond 2x100% capability does not result in significant improvement (Designs 1-8). This is due to the insensitivity of the CCF models.
No quantitative guidance exists as to how the values of the beta factor change when the design changes.
Causes: hardware (48.3%), maintenance (26.1%), operations (14.1%), environment (11.5%).
• Deliberation allows
The inclusion of best engineering practices
Comparison with other NERAC goals (sustainability, economics, reliability, proliferation resistance, and physical protection)
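An added illustration (not from the lecture or the cited papers) of the insight above that redundancy beyond 2x100% saturates when the CCF model uses a fixed beta factor. The per-train failure probability, the beta value and the k-out-of-n success logic assumed for the NxM% configurations are assumptions chosen for the example, not the study's inputs.

```python
from math import comb

# (number of trains n, trains required for success k); assumed success logic.
CONFIGS = {
    "1x100%": (1, 1),
    "2x100%": (2, 1),
    "3x50%": (3, 2),
    "3x100%": (3, 1),
    "4x50%": (4, 2),
}


def independent_failure(q_ind, n, k):
    """P(fewer than k of n trains work), trains failing independently."""
    # The system fails once at least n - k + 1 trains have failed.
    return sum(
        comb(n, j) * q_ind**j * (1 - q_ind) ** (n - j)
        for j in range(n - k + 1, n + 1)
    )


def system_failure(q_total, beta, n, k):
    """Beta-factor model with a beta that does not depend on n.

    A fraction beta of each train's failure probability is a common cause
    that fails every train at once; the rest is independent. The two
    contributions are summed (rare-event approximation).
    """
    q_ccf = beta * q_total
    q_ind = (1 - beta) * q_total
    return q_ccf + independent_failure(q_ind, n, k)


def compare(q_total=1e-2, beta=0.1):
    """System failure probability for each configuration (assumed inputs)."""
    return {
        name: system_failure(q_total, beta, n, k)
        for name, (n, k) in CONFIGS.items()
    }


if __name__ == "__main__":
    results = compare()
    floor = 0.1 * 1e-2  # beta * q_total: the part no added train removes
    for name, p in results.items():
        print(f"{name:7s} {p:.3e}  ({p / floor:.3f} x CCF floor)")
```

With these inputs every configuration with two or more trains sits within about 25% of the common-cause floor beta x q, so a third or fourth train changes the result only slightly.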